Maemish's Avatar
Posts: 1,702 | Thanked: 4,752 times | Joined on Apr 2018 @ Helsinki, Finland.
#201
Went on a two-day trip with my kids, who missed the summer holiday because of the deadline I was given to finish my car. In the hotel room there was a tablet. Was. We are still here but the tablet isn't. I tried the tablet and it launched a default launcher for hotel guests but could not connect to wifi. And I wasn't able to get to the wifi settings.

I was annoyed. First I started to tap the screen until I managed to see a flash of the normal desktop. So it's there. Then I rebooted the machine and tapped the screen again and got to a point where it possibly concluded there was an error and let me choose the launcher. I chose the normal view and got in to the normal desktop. Went to settings and noticed that the developer mode is on and also installing software from unknown sources.

At this point the wifi started to work. It connected to a private wifi. It was a security provider's wifi and even if I closed the wifi it put the wifi on again and connected to it. So I tapped all the connections and tapped "forget" and the device stopped putting the wifi on.

After this I started to check the settings more. Administrator settings. Find my device is on. Not anymore. But there was this one app (which I assume was the security provider's app) that I could not turn off. But I had been able to do enough.

In this room there is a tablet with developer mode on and possibly it has programs from untrusted sources, because I got access to almost everything. And it had the bluetooth and wifi on when we came to the room. And it did not work as supposed when I first tried the device. So I took the device to the reception and told them that this device has bad security problems and I do not know what programs have been installed on it and don't want to have it in my room. I also wrote on a piece of paper the problems I had found. That was yesterday.

This morning I went for a morning coffee and cigarette outside the hotel. When I went out there were two Eastern European guys outside. When I got out one guy went a bit further to smoke his cigarette but the other guy with a backpack came to stand like 1,5m from me. I thought he was about to ask for a cigarette but he just stood there while I drank the coffee and smoked. Then he went to his friend and they both started to look at the guy's phone. Aaargh. Skimmer! The guys shook their heads, watched me and left.

I was first alert that now I got skimmed and I have this my daughter's old insecure Honor 9 Lite android in use. But - I always have bluetooth off, I have wifi off, I had also turned mobile data off for the night, I have no paying apps, I have set Firefox as the default browser and set it to delete everything when closed, so there should not be too much to be found on my device.

But I got my wallet in my pocket! Remembered I asked for and got a bank card without the wireless option, so no paying without the pin should take place. Or yes, I think there still is this less than 25 or 50 eur buys accepted without the pin. So there is a possibility that they will get some money. But I believe the bank has some sort of alert if they notice unnatural money traffic from my account.

To know makes life more interesting, but it also makes you paranoid.
__________________
"I don't know how but I can try!" (active)

Master of not knowing (active)

For me it is possible to get lost in any case (active)

Learning to fall from high (DONE)

Learning to code with BASIC (WIP)

Last edited by Maemish; 2021-02-23 at 07:55.
 

The Following 5 Users Say Thank You to Maemish For This Useful Post:
Posts: 1,038 | Thanked: 3,980 times | Joined on Nov 2010 @ USA
#202
So what's the scam they're working? I've been wary of the contactless cards since first hearing about them, but the companies say there's no risk. A fraudster would first have to have a device capable of communicating with the RF responder in the card. I'd assume that a POS terminal would work for this purpose, and one could be stripped down to the essentials for portability, and perhaps equipped with a purpose-specific antenna so it could get a little better range when "talking" to the embedded chip.

So, my guess would be:

1. Use bootleg POS to initiate a transaction to, say, Ivan's Candy and Cigarette Vending Co.
2. Collect funds (while providing nothing in return, of course)
3. Launder that money out of the system before financial network notices you're a scammer.

#3 would be the tricky thing, right? You need to have a legitimate account of some kind to collect the money, don't you? Banks wouldn't hand these out willy-nilly, would they? When I open a bank account, I gotta show ID, prove where I live, provide my tax ID number -- and all of that in person. It would irritate me, to say the least, that this process is easier for an organized mob (Heck, they wanted me to present my child -- in person with both parents present -- to open a linked "kid's account" at my bank. Not a new account, mind you, just an accounting trick to segregate kiddo's money so they can feel it's theirs and learn to bank!)

Maybe I lack the imagination required to lead an international crime ring. And the muscle to be a regular goon.

But . . . when I did receive a contactless card recently, I still "disabled" that feature. Amusing to see clerks whack it repeatedly on the POS. I'm easily amused -- we don't have cable TV, after all.
 

The Following 2 Users Say Thank You to robthebold For This Useful Post:
Maemish's Avatar
Posts: 1,702 | Thanked: 4,752 times | Joined on Apr 2018 @ Helsinki, Finland.
#203
Put on youtube RFID cloning and you will be shown all the equipment and techniques you need for cloning cards from a distance. Have watched too many of them to feel secure anymore.
 

The Following 2 Users Say Thank You to Maemish For This Useful Post:
Posts: 1,290 | Thanked: 4,319 times | Joined on Oct 2014
#204
1) the amount maximum limits the (potential) damage
2) after a number of transactions, pin is required
3) you need an acquirer agreement, to receive payments (no, not just a bank account)
4) acquirer, and banks, fraud systems will very quickly catch the fraud

If you want to play, get a proxmark.
 

The Following 2 Users Say Thank You to nieldk For This Useful Post:
Posts: 68 | Thanked: 300 times | Joined on Mar 2017
#205
Originally Posted by robthebold View Post
So what's the scam they're working? I've been wary of the contactless cards since first hearing about them, but the companies say there's no risk. A fraudster would first have to have a device capable of communicating with the RF responder in the card. I'd assume that a POS terminal would work for this purpose, and one could be stripped down to the essentials for portability, and perhaps equipped with a purpose-specific antenna so it could get a little better range when "talking" to the embedded chip.
That's how it worked at the start, when the first contactless cards were used. Now those thieves are using a smartphone with NFC connected to an android app, which can be purchased somewhere on the darknet, which is connected to the rigged account, and then they just buy cryptocurrency to launder the money. Even if they can make only one transaction with each card, they can make a lot of money just in one bus/tram/train.
 

The Following User Says Thank You to Trzyzet For This Useful Post:
Posts: 84 | Thanked: 267 times | Joined on Apr 2016
#206
Use your car, no bus, no train, no tram :) Avoid crowds (covid-19) and use a protective shield with the card.
 

The Following User Says Thank You to feedme For This Useful Post:
Posts: 1,038 | Thanked: 3,980 times | Joined on Nov 2010 @ USA
#207
So it looks like they're cloning RFID cards, like access cards for offices (or hotel rooms) but not bank cards with the contactless EMV (ISO/IEC 14443) right?

I think the only RFID thing I have with any access to anything financial is the card I use with the EV charging station. That's got $10 of stored value on it, and it can "recharge" (it's a pun) from a credit card automagically $10 at a time. I guess a crook could sell the charging credit at a discount, like a stolen gift card would be . . .
 

The Following User Says Thank You to robthebold For This Useful Post:
Maemish's Avatar
Posts: 1,702 | Thanked: 4,752 times | Joined on Apr 2018 @ Helsinki, Finland.
#208
https://youtu.be/SLGl9X9LBv4
 

The Following User Says Thank You to Maemish For This Useful Post:
Posts: 1,038 | Thanked: 3,980 times | Joined on Nov 2010 @ USA
#209
Interesting.

I liked this quote:

"The key attack, the one that's most used, is just stealing the card out of someone's mail."

I didn't quite figure out what the presenter meant by cloning transactions (possible) vs cloning cards (uneconomical). I mean, I know all the words -- I have the best words -- but I didn't quite get what he was doing with it. Not a crime-nerd, just a regular nerd I guess.

Also, the idea that places where chip "dipping" requires a PIN but chip waving doesn't seems incredibly contradictory. I mean, you know someone has physical possession of a card if they can insert it in a POS.

Anyway, the only bank card I have with a contactless feature has been deactivated by Bosch (with assistance from MagLite) JIC.
 

The Following User Says Thank You to robthebold For This Useful Post:
Maemish's Avatar
Posts: 1,702 | Thanked: 4,752 times | Joined on Apr 2018 @ Helsinki, Finland.
#210
Anyone willing to help? Bought a Moto G8 and tried to install LineageOS on it. Now my phone still tries to boot into android, the welcome screen appears but the display is unresponsive so I can't start even the android anymore. So if someone knows this stuff well you could pm me and I can give you a detailed explanation of what I have done and which guides I have followed, what images I have used etc. I have unlocked the device with the code I got from Motorola and have followed guides from xda, droidtips etc. pages. I think I need some fastboot commands to wipe stuff before I can continue. I have tried to install LineageOS 18.1 from xda member sjill or something. The reason may be that I possibly have updated the android system to newer than 10, then I have tried to flash the stock10 android as told in the guide I should have, but maybe I did something wrong and in the wrong order.
 

The Following User Says Thank You to Maemish For This Useful Post: